Saturday, May 23, 2015

This week The Diplomat published an article by Dr Greg Austin titled "What the US Gets Wrong About Chinese Cyberespionage." The subtitle teases the thesis: "Is it government policy in China to pass on commercial secrets obtained via cyberespionage to civil sector firms?" As you might expect (because it prompted me to write this post), the author's answer is "no."

The following contains the argument:

"Chinese actors may be particularly adept in certain stages of economic espionage, but it is almost certainly not Chinese government policy to allow the transfer of trade secrets collected by highly classified intelligence sources to its civil sector firms for non-military technologies on a wide-spread basis.

A U.S. influencing strategy toward China premised on the claim that this is China’s policy would appear to be ill-advised based on the evidence introduced so far by the United States in the public domain." (emphasis added)

I find it interesting that the author concedes theft by Chinese government actors, which the Chinese government refuses to acknowledge. However, the author seeks to excuse this activity out of concern for the effect it has on US-China ties.

One aspect of the relationship between China and the US worries the author most:

"There are many ways to characterize the negative impact on potential bilateral cooperation on cyberspace issues of the “lawfare” being practised by the United States to discipline China for its massive cyber intrusions into the commercial secrets of U.S. firms. One downside is in my view more important than others. This is the belief being fostered by U.S. officials among elites in the United States and in other countries that China as a nation is a “cheater” country..."

Then, in a manner similar to the way Chinese spokespeople respond to any Western accusations of wrongdoing, the author turns the often-heard "Chinese espionage as the largest transfer of wealth in history" argument against the US:

"In the absence of any Administration taxonomy of the economic impacts of cyber espionage, alleged by some to represent the largest illicit transfer of wealth in human history, one way of evaluating it is to understand that for more than three decades it has been U.S. policy, like that of its principal allies, to undertake the largest lawful transfer of wealth in human history through trade with, investment in and technology transfer to China."

(I'm not sure I understand the cited benefits the US has accrued due to this "largest lawful transfer of wealth in human history," given the hollowing out of the American manufacturing sector and the trade imbalance with China, which totaled over $82 billion in 1Q15 alone. It's possible I am not appreciating what the author means though.)

Let's accept, for argument's sake, that it is not "official" Chinese government policy for its intelligence and military forces to steal commercial data from private and non-governmental Western organizations. How does accepting that proposition improve the situation? Would China excuse the US government if a "rogue" element of the American intelligence community or military pursued a multi-decade campaign against Chinese targets?

Even if the US government accepted this "Chinese data theft by rogue government actor" theory, it would not change the American position: stop this activity, by whatever means necessary. Given the power amassed by President Xi during his anti-corruption crackdown, I would expect he would be able to achieve at least some success in limiting his so-called "rogue actors" during the 2+ years since Mandiant released the APT1 report. As Nicole Perlroth reported this month, Chinese hacking continues unabated. In fact, China has introduced new capabilities, such as the so-called Great Cannon, used to degrade GitHub and others.

Similar to the argument I made in my post What Does "Responsibility" Mean for Attribution?, "responsibility" is the key issue. Based on my experience and research, I submit that Chinese computer network exploitation of private and non-governmental Western organizations is "state-integrated" and "state-executed." Greg Austin believes the activity is, at worst, "state-rogue-conducted." Stepping down one rung on the state spectrum of responsibility ladder is far from enough to change US government policy towards China.

Sunday, May 10, 2015

I recently read a manuscript discussing computer crime and security. I've typed out several excerpts and published them below. Please read them and try to determine how recently this document was written.

The first excerpt discusses the relationship between the computer and the criminal.

"The impersonality of the computer and the fact that it symbolizes for so many a system of uncaring power tend not only to incite efforts to strike back at the machine but also to provide certain people with a set of convenient rationalizations for engaging in fraud or embezzlement. The computer lends an ideological cloak for the carrying out of criminal acts.

Computer crime... also holds several other attractions for the potential lawbreaker. It provides intellectual challenge -- a form of breaking and entering in which the burglar’s tools are essentially an understanding of the logical structure of and logical flaws inherent in particular programming and processing systems. It opens the prospect of obtaining money by means that, while clearly illegal, do not usually involve taking it directly from the till or the cashier’s drawer...

Other tempting features of computer crime, as distinct from other forms of criminal activity, are that most such crimes are difficult to detect and that when the guilty parties are detected not much seems to happen to them. For various reasons, they are seldom intensively prosecuted, if they are prosecuted at all. On top of these advantages, the haul from computer crime tends to be very handsome compared with that from other crimes."

The second excerpt describes the attitudes of corporate computer crime victims.

"The difficulties of catching up with the people who have committed computer crimes is compounded by the reluctance of corporations to talk about the fact that they have been defrauded and by the difficulties and embarrassments of prosecution and trial. In instance after instance, corporations whose assets have been plundered -- whose computer operations have been manipulated to churn out fictitious accounting data or to print large checks to the holders of dummy accounts -- have preferred to suffer in silence rather than to have the horrid facts about the frailty of their miracle processing systems come to public attention.

Top management people in large corporations fear that publicity about internal fraud could well affect their companies’ trading positions on the stock market, hold the corporations up to public ridicule, and cause all sorts of turmoil within their staffs. In many cases, it seems, management will go to great lengths to keep the fact of an internal computer crime from its own stockholders...

The reluctance of corporations to subject themselves to unfavorable publicity over computer crimes is so great that some corporations actually seem willing to take the risk of getting into trouble with the law themselves by concealing crimes committed against them. Among independent computer security consultants, it is widely suspected that certain banks, which seem exceptionally reluctant to admit that such a thing as computer fraud even exists in the banking fraternity, do not always report such crimes to the Comptroller of the Currency, in Washington, when they occur, as all banks are required to do by federal law. Bank officers do not discuss the details of computer crime with the press... [A] principal reason for this kind of behavior is the fear on the part of the banks that such a record will bring about an increase in their insurance rates."

The third excerpt talks about the challenges of prosecuting computer crime.

"In addition to the problems of detecting and bringing computer crimes to light, there are the difficulties of effectively prosecuting computer criminals. In the first place, the police, if they are to collect evidence, have to be able to understand precisely how a crime may have been committed, and that usually calls for the kind of technical knowledge that is simply not available to most police departments...

Another difficulty is that not only police and prosecutors but judges and juries must be able to find their way through the mass of technical detail before they can render verdicts and hand down decisions in cases of computer crime, and this alone is a demanding task. In the face of all the complexities involved and all the time necessary to prepare a case that will stand up in court, many prosecutors try to make the best accommodation they can with the defendant’s lawyers by plea bargaining, or else they simply allow the case to fade away unprosecuted. If they do bring a case to trial, they have the problem of presenting evidence that is acceptable to the court."

The fourth excerpt mentions "sophistication" -- a hot topic!

"To somebody looking at the problem of computer crime as a whole, one conclusion that seems reasonable is that although some of the criminal manipulators of computer systems have shown certain ingenuity, they have not employed highly sophisticated approaches to break into and misuse computer systems without detection. In a way, this fact in itself is something of a comment on the security of most existing computer systems: the brains are presumably available to commit those sophisticated computer crimes, but the reason that advanced techniques haven’t been used much may well be that they haven’t been necessary."

The fifth excerpt briefly lists possible countermeasures.

"The accelerating incidence of computer-related crimes -- particularly in the light of the continuing rapid growth of the computer industry and the present ubiquity of electronic data-processing systems -- raises the question of what countermeasures can be taken within industry and government to prevent such crimes, or, at least, to detect them with precision when they occur...

In addition to tight physical security for facilities, these [countermeasures] included such internal checks within a system to insure data security as adequate identification procedures for people communicating with the computer... elaborate internal audit trails built into a system, in which every significant communication between a user and a computer would be recorded; and, where confidentiality was particularly important, cryptography..."

Now, based on what you have read, I'd like you to guess in which decade these excerpts were written. By answering the survey you will learn the publication date.

I'll leave you with one other quote from the manuscript:

The fact is, [a security expert] said, that “the data-security job will never be done -- after all, there will never be a bank that absolutely can’t be robbed.” The main thing, he said, is to make the cost of breaching security so high that the effort involved will be discouragingly great.